The present disclosure relates to protection schemes to prevent access to information stored in electrical circuits.
Secure integrated circuit cards, commonly referred to as smart cards, may be of the form of an embedded integrated circuit hardware device that is small enough to fit into a user's pocket. Smart cards may be used in many situations where sensitive information must be stored and shared. For example, set-top boxes that facilitate pay-per-view or video-on-demand features may use a smart card to supply user account information to a provider along with a request for access to such features, and to subsequently decrypt encrypted digital video streams that may be provided in response to the request. As another example, a Subscriber Identity Module (SIM) card in a Global Systems for Mobile Communications (GSM) phone may be used to store a user's personal information, such as his or her phone book, device preferences, preferred network(s), saved text or voice messages and service provider information. A SIM card may allow a user, for example, to change handsets while retaining all of his or her information on the SIM card. Smart cards may be used in a variety of applications (e.g., electronic payment systems, including specialized auto-debit devices such as public transportation cards and personal identification documents, such as passports, drivers licenses, and medical identification cards).
Due to security concerns, encryption standards or algorithms may be used to protect sensitive information on a smart card. For example, the Digital Encryption Standard (DES) may be used to encrypt information with a 56-bit key. Access to private data may only be available to a holder of the key. Newer updates to this standard, such as Triple-DES and Advanced Encryption Standard (AES) may offer an even more complex (and secure) encryption key algorithm. Another example standard is RSA (an acronym derived from the surnames of its three creators—Rivest, Shamir and Adleman), a publickey encryption standard with private-key decryption. Because of the value of information that may be stored on and protected by a smart card, hackers may employ various techniques to break or bypass various encryption algorithms used to protect sensitive information on a smart card. These techniques may generally be categorized as invasive attacks and non-invasive attacks.
For example, a hacker may grind off a portion of the smart card packaging in order to access internal signals and bypass security measures that may be in place. As another example, a hacker may subject the smart card to various kinds of radiation (e.g., laser light directed to exposed internal circuits or x-ray or gamma radiation directed through packaging) in an attempt to corrupt protected data. In some implementations, corruption of protected data at certain locations in the device can cause the device to bypass security measures (e.g., encryption algorithms) or to yield information to the hacker regarding device architecture or the protected data itself.
Smart cards can also be subject to attacks such as code reverse engineering. In a reverse engineering attack, the goal of a hacker is to study embedded instructions and data (or “code”) in the smart card memory in order to clone the smart card functionality on an easily available programming device. Hardware countermeasures such as memory encryption and implanted read-only memories (ROMs) are commonly implemented on secure microcontrollers to prevent such code reverse engineering. However, the smart card's central processing unit (CPU) typically has unencrypted access to the entire program memory contents and can be manipulated to output the entire contents of memory. Once sensitive information has been extracted from a device, the information can be used for various nefarious purposes. For example, a hacker can obtain pay-per-view or video-on-demand services using another user's account; the hacker can access telecommunication services that are billed to another user; the hacker can steal another user's bank account funds; the hacker can steal another's identity; etc.